2002-01-3210 

A Configurable Solid State Power Management And 

Distribution System 

John M. Maxwell, Jr. 
John H. Blumer 
Blake Burden 

The Boeing Company, Phantom Works 

Copyright © 2001 Society of Automotive Engineers, Inc. 



ABSTRACT 

Future vehicle power systems must achieve greater 
flexibility and reliability than those used in previous 
generations. New functions that enhance safety, such as 
arc detection and wiring integrity verification, are 
essential for new systems. Embedded autonomous 
control, and fault correction can be built into Fault 
Tolerant Processors that integrate into a vehicle Open 
System Architecture. This approach will provide status 
and fault detection information to maintenance 
interfaces and provide fault correction. Safety is 
enhanced by the prevention of dangerous restarts from 
crew and personnel. The embedded features allow for 
pre-flight mission configuration to setup systems before 
takeoff and on-board and off-board maintenance 
control. This enables operators to evaluate power 
system health and history to help reduce turn around 
time. A solid-state switch that integrates these essential 
capabilities demanded by the industry for future power 
systems and fault correction and health status power 
system is presented. 

INTRODUCTION 

The development of a Configurable Solid State Power 
Management And Distribution system (PMAD) will lower 
overall costs, maintenance times, and increase the 
safety of the vehicle. The PMAD system is capable of 
being controlled and configured remotely as well as 
capable of reporting back detailed power system status 
to the master control system or ground support 
equipment. This operation capability can be integrated 
into either a new vehicle system or retrofit in a previous 
generation heritage system during a system upgrade. 

With new air and spacecraft evolving from existing 
proven designs, as well as clean slate designs, demands 
on the vehicle power systems are increasing greatly. As 
more and more functions are being turned over to 
computers and electromechanical devices, the power 
requirement for computational equipment increases. 
Eliminating hydraulic systems introduces the need to 



supply, control, and protect high power 
electromechanical actuators. Also, as entertainment and 
business systems access is being integrated into aircraft 
seats, more power cables are being placed close to 
passengers, which will require new safety approaches. 
Human error in resetting tripped circuit breakers has 
lead to problems during flight. 

Events of this nature may be eliminated with a self- 
monitoring power system. Safety of crew, passengers, 
and vehicle can be increased by a power management 
system that can monitor and self evaluate the status of 
the power system itself. A fault tolerant power system 
that would not require human intervention for decisions 
would eliminate human errors such as the one 
mentioned above from happening. By the power system 
becoming a system of systems through Integrated 
Vehicle Health Management (IVHM) and Avionics, the 
power system becomes not only safer but also more 
efficient from a vehicle point of view. The IVHM system 
can be used to evaluate the power system conditions 
under a degraded mode. The IVHM system can give 
suggestions for a crew to accept to allow the system to 
be configured to operate in a more efficient manner and 
conserve power by shutting down systems that are not 
needed when a piece of equipment has failed. 

By being remotely controlled and not requiring direct 
human intervention, the PMAD eliminates the need for a 
circuit breaker panel and allows control to be 
autonomous and/or allows control through crew interface 
panels and ground support equipment. This also allows 
the PMAD units and devices to be located close to the 
loads that are being controlled and protected, thus 
reducing the need of long, heavy gauge wiring. This will 
shorten cable lengths, reduce weight, increase power 
efficiency, decrease power loss due the parasitic 
impedance in long cables, eliminate mechanical circuit 
breakers and eliminate the arc points that come with 
mechanical contacts. 

The arc detection, fault correction and ground fault 
circuit interrupt (GFCI) functions via the Solid State 



Power Controller (SSPC) utilize an embedded micro- 
controller or Digital Signal Processor (DSP) for 
processing. Each SSPC contains the means to test 
wiring in the vehicle automatically upon suspicion of an 
arc event. The SSPC can test a wire per instruction of 
maintenance crews using the Damage Wire 
Detector/Locator (DWDL) integrated inside the SSPC. 
By using the PMAD status to virtually predict suspected 
problems within the vehicle and have the vehicle's 
avionics system provide information in advance to 
maintenance depots via dedicated network ports, 
ground crews can have equipment and replacement 
parts available upon arrival of the vehicle. This will allow 
the vehicle to be repaired and returned to service faster 
than having to await the arrival and then troubleshoot 
the vehicle. The SSPC also allows for an autonomous 
restart of a tripped SSPC upon power bus recovery, and 
at the same time prevents dangerous resetting of 
SSPCs under certain pre-configured conditions. 

PMAD DESIGN AND APPLICATION 

The main thrust of a modern PMAD system design is to 
increase vehicle safety and reliability. The proposed 
method in this paper is to approach reliability for the 
PMAD system through a fault tolerant redundant design. 
On the vehicle side, the PMAD increases vehicle safety 
and reliability by monitoring the systems it has 
interfaces with for possible failure indications. This 
includes items unique to power systems, such as arc 
detection and wiring degradation, or interfacing to the 
IVHM system to determine the probable source and 
cause of failure and appropriate action. 

A solid state programmable PMAD system provides 
considerable flexibility in system level architecture. To 
minimize wiring weight, two architectures are primarily 
considered. Both designs utilize an operator command 
remote interface with the semi-autonomous or a fully 
autonomous PMAD system operating in a centrally 
located position. This can consist of a single unit with 
command/control functions and power switching circuitry 
all in one box or a unit with some or all of the power 
switching circuitry remotely located near the user power 
device. Either architecture will significantly minimize 
the wiring weight by reducing the distance between the 
Power Distribution Units (PDU) and the power device. 
In such architecture, the only significant wire run would 
be the main and possibly the auxiliary power line instead 
of the multiple lines to the individual devices. Each 
case could have the basic functions programmable so 
the switching would remain the same for either 
architecture. It is estimated that the distributed wire 
lengths can be reduced to approximately 25 feet or less 
per output channel when the PDUs are placed among 
the loads. This also reduces the amount of bulkhead 
passthroughs and connectors. An example PMAD 
distribution architecture is shown in Figure 1. The 
redundant avionics busses also represent the IVHM 
interfaces. 




WEARABLE 
COMPUTER 



Figure 1 . Generic Power Distribution and Management 
System Block Diagram 

Autonomous on-board operations that the IVHM system 
manages are the gathering of fault data and setting the 
power system to operate more efficiently in the event of 
degraded mode of operations. The fault data may be 
transmitted to the ground for advanced evaluation, and 
ground crews can have the appropriate equipment and 
replacement parts waiting for arrival. The Off-board 
operations allow the ground maintenance crew to 
download fault data for evaluation and also allow them 
to operate systems for a centralized location. The 
Ground Support Equipment (GSE) is capable of 
controlling each SSPC on-board the vehicle. 

PMAD SYSTEM DEVICES BEING PRESENTLY USED 
OR DEVELOPED 

An example of a modern Solid State Power Distribution 
Unit that is integrated into a PMAD system is the Solid 
State Power Control Module (SSPCM), shown in Figure 
2. The SSPCM is presently aboard the International 
Space Station and operates in a semi-autonomous 
mode controlling various payloads and computing 
equipment. Once setup through either another 
computer system or setup by an astronaut via a simple 
RS-232 port on a Laptop computer, the SSPCM 
operates without user intervention. Using the internal 
solid-state programmable circuit breaker, a power user 
is constantly monitored and real time current data 
relayed to the end user. If a power user exceeds a set 
power profile and current setting the breaker will trip. 
The SSPCM may be configured to simply flag the 
remote user or recycle power at a set interval, giving the 
unit an automated recovery sequence. The SSPCM also 
provides for automatic controlling of resources. For 
instance, when the power used exceeds the power 
available the payloads are automatically released based 
on a load criticality table. The concepts described in this 
paper build upon proven concepts, while providing an 
even greater level of safety and control. This is 
accomplished by implementing various tests either 
automatically or commanded for both wiring and system 



faults that might not trip a circuit breaker, or even a 
solid-state unit. 




Figure 2. International Space Station version of the SSPCM. 

Designs performing the same functionality, but using 
COTS components can be designed and built at a 
fraction of the size. The unit size in Figure 2 is driven to 
a large extent by the thermal dissipation. It has 
integrated 120V to 28V DC-DC conversion and is 
capable of 2200W of 28V output power. An example of 
a PMAD with fully digital and programmable SSPCs and 
COTS components is shown in Figure 3. This design 
can be readily modified for a range of input voltages and 
is capable of controlling up to 16 output channels. 




Figure 3. Digitally Programmable Solid State Power 
Controller 

VEHICLE SAFETY AND ARC FAULT DETECTION 
AND WIRING DEGRADATION 

As wiring harnesses and vehicles age, the probability of 
significant failures due to wiring harness failures and 
insulation goes up significantly. These can range from 
simple charring of wiring to arcing and fires, resulting in 
loss of vehicle and life. Several high profile commercial 
jet losses have been attributed to wiring and or 
insulation failures that resulted in arcing events that 
caused fires. A loss of an AC Phase A power three 
years ago on the Space Shuttle (STS-93), four seconds 
into the flight was also attributed to a short in the wiring 
harness. Unfortunately no method exists for detection 
and squelching of these types of failure modes. At least 



one commercial airline is initiating a program to replace 
vehicle wiring at planned intervals to eliminate the aging 
wire problem. However, even an expensive plan like 
this cannot accommodate all premature failures due to 
things such as:. 

. Debris 

. Chaffing 

« Moisture infiltration 

■ Premature aging of insulation 

■ Erroneous installation either during assembly or 
subsequent repair 

. Damage by technician during other vehicle system 
work/repair 

While life cycle cost and ease of vehicle control is a 
significant design driver in a new PMAD system, the 
main design drivers are overall increased vehicle 
reliability and safety of the human crew and passengers. 
Thus two unique features are being integrated into the 
PMAD architecture to detect failures before significant 
damage has occurred. First is the detection of arcing 
and quick suppression of the arc. The second is wiring 
degradation detection prior to arcing or other failure 
mode. 

Arc Detection and Wiring Degradation Module 

A Programmable Solid State Circuit Breaker/Switch 
(PSSCB/S) With Arc Detection and Damaged Wire 
Detector/Locator Module was designed as an upgrade 
for the unit shown in figure 3. A prototype of this module 
is shown in Figure 4. 




Figure 4. Prototype PSSCB/S with Arc Fault Detection and 
Damaged Wire Detector/Locator Module. 

The SSPC provides an excellent base platform on which 
to build arc detection and integrated wire testing due to 
the inherent load monitoring functions. The PSSCB/S 
module integrates several features critical to arresting 
wiring failures prior to actual damage, such as: 

. Integrated over current, over/under voltage and 

over/under temperature monitoring. 
. User selectable current, voltage and temperature 

limits from Maintenance Testing Equipment. 
. Short circuit protection and no turn-on into a shorted 



circuit. 

. Integrated Arc Fault, GFCI and Damaged Wire 
detection. 

. Fault detection and health status via serial data bus 
interface. 

Combining the above features into a modular network 
ready package benefits the entire system. The 
modularity of the PSSCB/S module not only saves 
space with its design, but it will also save weight in 
wiring by being co-located with the load. An estimate of 
the weight of wire capable of 30kW at 270Vdc is 
approximately a half of a pound per foot. The cable 
weight and losses are reduced by minimizing the lengths 
of wiring, which is accomplished through the capability 
of locating the PDU devices near the load. 

The design can be integrated into a standard circuit 
breaker size, as shown in figure 5. Another approach is 
to replace an entire circuit breaker panel with a semi- 
autonomously controlled solid state PDU type panel, as 
the one shown in Figure 9. This packaging allows the 
power controllers to fit into same the area where the 
circuit breaker panel was located. On other approach is 
to incorporate remotely controlled PDU similar to the 
unit shown in figure 3. This would allow the power 
controllers to be located closer to the loads that are 
being protected. The scalability of the design can 
accommodate both legacy aerospace vehicles and 
today's dean sheet vehicle designs. 




Figure 5. Example of a Programmable Solid State Circuit 
Breaker. 

The PSSCB/S also offers an array of built-in safety 
features. The integrated health and status functions of 
the device not only serve as safety features but also as 
maintenance features. The device not only stores the 
type of fault, but it also stores the location of the fault 
along the wire. This will drastically reduce maintenance 
times by giving a location to examine when the arc 



event may have only browned an area instead of having 
a complete burn through. Features such as Ground 
Fault Circuit Interruption (GFCI) protection to flag any 
grounding faults are also built into the device. The 
microcontroller automatically shuts off the device if a 
cable or connector is changed or if an arc event was 
previously detected. In the case of microcontroller 
failure, the device includes watchdog circuitry for 
placing the output in safe mode to preserve any critical 
data or maintenance records. Any firmware updates 




needed for the microcontroller may be updated via 
serial maintenance port. 



Figure 6. Damaged Wire Detector/Locator Maintenance and 
Analysis Display. 

An example display from a wiring harness test is shown 
in Figure 6. The left view shows data stored from initial 
training session on a fifty-foot wire with a load. The right 
view shows data from a short that is located 
approximately 12 1/2 feet down the same fifty-foot wire 
with load. This is a good example of the type of 
maintenance screen which allows the technician to save 
time when looking for a damaged wire. These 
maintenance screens are based on off the shelf wire 
testing displays to minimize training of personnel to use 
the system. Additional damaged wire locator analysis 
software tools are being developed at this time that will 
autonomously compare data to minimize error in human 
eye comparison of the data on the display screens. 

PMAD FAULT TOLERANCE AND REDUNDANCY 

In order to reduce PMAD and system cost, as well as 
use the latest generation of electronic components, the 
use of Commercial Off The Shelf (COTS) parts is 
utilized. For the purpose of this paper COTS is defined 
as any commercial available component whether it is 
commercial, industrial, or military grade. In order to 
increase PMAD system reliability, while simultaneously 
decreasing the cost (both purchase and maintenance or 
life cycle costs) the use of redundant components is 
needed. 



In order to assure high reliability and a low cost for 
future vehicle programs, enabling technology items 
need to be addressed. Some of the major items include 
Fault Management (both BIT and hosting IVHM), Power, 
Environmental Considerations, System Reliability, 
Modularity, and overall System Cost with emphasis on 
recurring/operational costs. The heart of the fault 
containment and resultant reliability is the Fault Tolerant 
Processor Module (FTPM). Scalable system level fault 
tolerance can be achieved by first providing redundant 
resources at the Line Replaceable Unit (LRU) and lower 
levels, e.g. redundant modules within a LRU or 
redundant resources on the same module. Then, a N- 
to-N LRU level Cross-Channel-Data-Link (CCDL) design 
(i.e. each LRU is directly connected to every other LRU 
in the redundant configuration) enables the system 
configuration to be scalable from N to 1 . The necessary 
features of the CCDL include, as a minimum, 
synchronization, voting and/or comparison design, and 
fault management of the CCDL hardware and operation. 
An example of PDU devices in a PMAD system 
interconnected with fault tolerant channels is shown in 
Figure 7. 




Figure 7. PMADs interconnect via FTPM and Fault 
Tolerant Data Links. 



To achieve transparency, hardware fault tolerant 
features (such as self-checking pairs and Error 
Detection and Correction codes) and software fault 
management routines are required. Fault management 
routines can be largely classified into two categories: 1) 
building block or infrastructure fault management, and 
2) system or application fault management. 

The PMAD system fault tolerant scheme offers the 
following benefits to the system: 

. Multi-layered protection against single event upsets or other 
errors and thus improves safety and enables flight/ launch 
with failure 

. Tolerant of N faults with N+1 channels, instead of N+2, 



reduces hardware cost and weight and 

increases reliability 
m Eliminates false alarm with added confirmation step 
. Subsystem level fault containment maximizes the ability to 

achieve single LRU fault ambiguity 

performance 
. Single LRU level fault ambiguity performance 

reduces cannot-duplicate, reduces maintenance costs, and 

improves turnaround 
■ Improves confidence with verified fault coverage 

performance 

. Co-location of flight-critical and non-critical functions 

One of the major advantages on a transparent scalable 
system is the ease with which additional units can be 
added to increased system reliability as required. Figure 
8 shows some examples of redundant configurations to 
ensure system reliability from unmanned to the most 
flight critical manned systems, such as Space Shuttle 
type architecture. 




Dual -redundancy Triple- Redundancy Quad-Redundancy 




Figure 8. Example Redundancy Schemes. 



VEHICLE INTEGRATION 

Several options are available pending on vehicle size, if 
it is a new design or retrofit, and reliability requirements. 
The basic requirements of increased safety of flight and 
reduced life cycle costs will determine the optimal PDU 
location. Remotely distributed PDUs may be the solution 
for a military vehicle that may sustain combat damage. 
For a commercial vehicle, however, a central location 
may help reduce life cycle cost by allowing easier 
access to the system. 

Systems in legacy vehicles benefit from new features 
such as solid state power controllers, arc fault detection 
and/or integrated wire testing face the difficulties of 
having limited allocated areas where circuit breaker 
panels exist. Changing out wiring harnesses to meet 
new PDU architectures is not cost effective and retrofit 
times are great. An option to package the SSPCs and 
integrated arc fault/wire testing capabilities is possible. 
By applying the solution as a power density versus area 



approach, the desired functions can be implemented 
while still maintaining the same power cable 
arrangement. The power control and fault detection 
functions can be integrated into a panel assembly that 
will fit into the area where the previous circuit breaker 
panel was located. An example of the Power Distribution 
Assembly (PDA) is shown in Figure 9. 




Figure 9. Power Distribution Assembly (PDA) Front View. 

Even though the power control devices are solid state 
and can be remotely controlled, they can also be 
controlled and monitored via discrete inputs and 
outputs. This may be an option for those who do not 
wish to add additional wiring for the communications 
data bus. A mechanical button switch accomplishes 
ON/OFF control and a light indicator indicates trips. 
However, this does defeat the purpose of eliminating 
mechanical devices. Even though the human interface 
control is mechanical, the load protection and fault 
detectors are still solid state. 

The Circuit Board Assembly (CBA) that is located on the 
back of the mounting panel can be laid out in an 
arrangement to match the cable harnesses that are 
already in place. This allows the cabling harnesses to be 
reconnected without or with minimal modification. An 
example of the CBA layout is shown in Figure 10. 

To recover the fault data, the data communication bus 
that interconnects SSPCs is embedded into the CBA 
and can be accessed via a maintenance interface port 
to GSE. 




Figure 10. Power Distribution Assembly (PDA Back View. 

For clean sheet designs, the Power Distribution Unit 
(PDU) approach may be more desirable. The approach 
is to use the Open System Architecture (OSA) Common 
Modular Avionics (CMA) housing concept with the 
appropriate modifications to accommodate for the 
thermal differences between a power unit and an 
avionics box. The same approach can be taken to house 
any power conversion units that are required. This 
maintains a commonalty between products and allows 
for easy integration of standard commodity products. 
Figure 1 1 shows an example of an OSA PDU. 




Figure 11. Open System Architecture Power Distribution Unit 
(PDU). 

An example of how the OSA PDUs may be distributed 
throughout a vehicle power architecture is shown in 
Figure 1. It is also possible to locate the SSPC devices 



within each OSA avionics unit. The communication and 
control of each device would remain the same as that 
previously described. 



3. Tidal Wave of Wiring Requirements to Hit Industry, 
Air Safety Week, Vol. 16 No. 27, 15 July 2002. 



CONCLUSION 

It is possible and feasible to design a power architecture 
that can operate autonomously or semi-autonomously 
and provide a measurable increase in safety, efficiency 
and cost reduction. In particular, the new arc detection 
and suppression and wiring degradation detection 
features will help minimize or eliminate a major source 
of vehicle damage/loss and loss of life. The use of such 
techniques will dramatically reduce maintenance and life 
cycle costs, due to reduced repairs and inspection, and 
will minimize or eliminate scheduled replacement of 
wiring harnesses due to fear of in-flight failures! The use 
of state of the art components, in conjunction with 
modern redundancy and fault management techniques, 
will simultaneously increase system reliability, reduce 
system weight, and reduce PMAD costs. At the same 
time, the architecture is flexible enough to meet the 
needs of legacy vehicles as well as clean sheet designs. 
The added fault detection requirements of legacy and 
clean sheet systems are similar, so that the same 
functionality of the PDU devices can be used in both 
cases. The packaging becomes the major driver 
between the two types of vehicle designs. However, due 
to the modularity of the basic design concept, the 
functionality can be scaled to meet either need. For an 
existing design, additional challenges exist; but through 
the use of the inherent flexible design features and the 
use of existing circuit breaker panels or other heritage 
operator interfaces, a highly reliable and fault tolerant 
PMAD system can be used in heritage as well as new 
vehicle designs. 

ACKNOWLEDGMENTS 

Acknowledgment is given to Art Brockschmidt and 
Ishaque Medhi of the Boeing Seattle power group and 
Gary Lee, Isaiah White and Calvin Ling of the Boeing 
Seattle OSA group who have provided technical 
assistance, knowledge and their years of experience 
and patience. We would also like to extend many thanks 
to Bud Westerman of the Boeing Seattle Maintenance, 
Modifications and Repair group for providing us the 
means for researching and developing the Integrated 
Arc Fault Detector and Damaged Wire Detector/Locator 
Module to integrate into our Solid State Power 
Controller. Through Bud's support, we have been able to 
demonstrate the integrated arc fault, wire testing and 
ground maintenance functions that are presented in this 
paper. 

REFERENCES 

1. Switchgear and Control Handbook, 3 rd Edition, 
Robert W. Smeaton and William H. Ubert. 

2. Advanced Aircraft Secondary Power System Design 
D1 80-31 020-1, 16 June 1988. 



DEFINITIONS, ACRONYMS, ABBREVIATIONS 

AC: Alternating Current 

BIT: Built In Test 

CBA: Circuit Board Assembly 

CCDL: Cross Channel Data Link 

CMA: Common Modular Avionics 

COTS: Commercial Off The Shelf 

DC: Direct Current 

DSP: Digital Signal Processor 

DWDL: Damaged Wire Detector/Locator 

FTPM: Fault Tolerant Processor Module 

GFCI: Ground Fault Circuit Interrupt 

GSE: Ground Support Equipment 

IVHM: Integrated Vehicle Health Management 

LRU: Line Replaceable Unit 

OSA: Open System Architecture 

PDA: Power Distribution Assembly 

PDU: Power Distribution Unit 

PMAD: Power Management And Distribution 

PSSCB/S: Programmable Solid State Circuit/Switch 

SSPC: Solid State Power Controller 

SSPCM: Solid State Power Control Module 



